locked
Non-admin users are prompted for elevation when opening Task Manager - 2012 R2 RRS feed

  • Question

  • On an RDS deployment on a Windows Server 2012 R2 server, also a domain controller (single-server deployment), I would like non-admin users to be able to open Task Manager to see their own list of running processes.  But just trying to open Task Manager, the non-admin users are prompted for elevation.  What happened to the behavior where the Task Manager would open and show just that user's processes, and elevation was not required unless they tried to view all running processes?

    How can I change this behavior so non-admin users can use Task Manager to manage their own processes without an elevation prompt?

    Thank you,

    Michael


    Michael

    Sunday, March 6, 2016 1:48 PM

Answers

  • Hi Michael,

    Please log on as a normal user, open a command prompt, and enter the following two commands:

    whoami /groups>groups.txt

    notepad groups.txt

    Please examine the list of groups to see if there are any listed as deny.  If yes, these are the groups that you need to consider removing the users from so that the users are not prompted for elevation when running Task Manager.  For example, if the user is a member of Pre-Windows 2000 Compatible Access group you will need to consider if it is okay in your environment to modify membership so that normal user accounts are not a member.

    If unsure please post the contents of groups.txt from above and I will take a look.

    Thanks.

    -TP

    • Proposed as answer by TP []MVP Monday, March 7, 2016 9:27 PM
    • Marked as answer by Amy Wang_ Tuesday, March 8, 2016 8:54 AM
    Monday, March 7, 2016 2:36 PM
  • Hi,

    Yes, that will remove them from the group, however, I recommend you analyze and test to see if there are any applications in the environment that rely on that group membership to function properly.  If yes, then you can still resolve the issue, but first you will need to grant specific entities membership in the group and/or needed rights that the group provides.

    -TP

    • Marked as answer by Michael-IHT Monday, March 7, 2016 9:30 PM
    Monday, March 7, 2016 8:04 PM

All replies

  • What groups are the users members of, local and domain? Only reason I ask saw a strange issue on Windows 10 where users in the Network Configuration Operators I think it was were prompted when opening task manager like this.
    Sunday, March 6, 2016 9:13 PM
  • What groups are the users members of, local and domain? Only reason I ask saw a strange issue on Windows 10 where users in the Network Configuration Operators I think it was were prompted when opening task manager like this.

    Users are members of "Domain Users" and "Remote Desktop Users" only.  I took a test user and added it to the "Users" group as well, but this did not change the behavior.



    Michael

    Monday, March 7, 2016 12:56 PM
  • Hi Michael,

    Please log on as a normal user, open a command prompt, and enter the following two commands:

    whoami /groups>groups.txt

    notepad groups.txt

    Please examine the list of groups to see if there are any listed as deny.  If yes, these are the groups that you need to consider removing the users from so that the users are not prompted for elevation when running Task Manager.  For example, if the user is a member of Pre-Windows 2000 Compatible Access group you will need to consider if it is okay in your environment to modify membership so that normal user accounts are not a member.

    If unsure please post the contents of groups.txt from above and I will take a look.

    Thanks.

    -TP

    • Proposed as answer by TP []MVP Monday, March 7, 2016 9:27 PM
    • Marked as answer by Amy Wang_ Tuesday, March 8, 2016 8:54 AM
    Monday, March 7, 2016 2:36 PM
  • Hi Michael,

    Please log on as a normal user, open a command prompt, and enter the following two commands:

    whoami /groups>groups.txt

    notepad groups.txt

    Please examine the list of groups to see if there are any listed as deny.  If yes, these are the groups that you need to consider removing the users from so that the users are not prompted for elevation when running Task Manager.  For example, if the user is a member of Pre-Windows 2000 Compatible Access group you will need to consider if it is okay in your environment to modify membership so that normal user accounts are not a member.

    If unsure please post the contents of groups.txt from above and I will take a look.

    Thanks.

    -TP

    TP,

    Here is the output on that command.  Only the Pre-Windows 2000 Compatible Access group has deny.  I am not familiar with the use of this group.  Is this causing the issue?

    GROUP INFORMATION
    -----------------

    Group Name                                 Type             SID          Attributes                                        
    ========================================== ================ ============ ==================================================
    Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
    BUILTIN\Remote Desktop Users               Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
    BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
    BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Group used for deny only                          
    NT AUTHORITY\REMOTE INTERACTIVE LOGON      Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
    LOCAL                                      Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
    Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
    Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192                                                    

    Thanks for you help.

    Michael



    Michael

    Monday, March 7, 2016 3:15 PM
  • Hi Michael,

    Yes, in your case Pre-Windows 2000 Compatible Access is causing the elevation prompt.

    -TP

    Monday, March 7, 2016 3:34 PM
  • Thank you, TP.  I just went into AD Users and Computers -> Builtin, open Pre-Windows 2000 Compatible Access group -> Members tab and found the only entry is Authenticated Users (NT Authority).  Do I simply remove this to resolve the issue?

    Thanks, Michael.


    Michael

    Monday, March 7, 2016 6:52 PM
  • Hi,

    Yes, that will remove them from the group, however, I recommend you analyze and test to see if there are any applications in the environment that rely on that group membership to function properly.  If yes, then you can still resolve the issue, but first you will need to grant specific entities membership in the group and/or needed rights that the group provides.

    -TP

    • Marked as answer by Michael-IHT Monday, March 7, 2016 9:30 PM
    Monday, March 7, 2016 8:04 PM
  • Thank you, TP.  I removed that entry and Task Manager no longer prompts for creds.  I launched several programs on the server and did not have any issue.  Will keep my eye on it, but I think we are set.  Your help is much appreciated, thanks again.

    Michael


    Michael

    Monday, March 7, 2016 9:11 PM